Tormarket Hacked – Database Leaked By… Dread Pirate Roberts

Following our previous report regarding the mutual DDOS attacks of the darknet markets, the situation has just escalated to a full marketplace Cyberwar as Dread Pirate Roberts posted a proof showing that he has the database of the competing market TOR marketplace (link to the original thread on SR2 Forums: http://silkroad5v7dywlc.onion/index.php?topic=8598.0):

=======================START QUOTE===================

To start, I would like to make this clear to everyone involved that Silk Road does not have malicious intentions or an anti-competition attitude, we actually require competition to keep us motivated and for the diversity of the network but in order to fulfill that function the competition must be a safe one which does not put people in harms way or subject to possible exploit. This post I hope will demonstrate to you why claims a market makes does not correlate to the true story and we would like to demonstrate this with Tormarket.

At this moment in time, I also want to clarify in light of recent events the full disclosure everyone deserves to know. This investigation started under the suspicion that Tormarket was behind the ongoing DDOS against Silk Road but has since taken another turn when we looked below the surface a little more. I have no conclusive proof Tormarket did or did not order the DDOS currently hitting us and personally I don’t believe I ever will so I won’t go on about this much more as it is actually not something that matters any more since we are definitely en route to fixing it if you have watched our recent developments, but over Tor such attacks are not trivial to correct. All of this is done in the name of safety and I hope the owners of Tormarket can take this seriously, go away and rethink their strategies because as I will discuss later we didn’t even put much effort in to extracting this data.

What is it I am attempting to prove?

To take it from the home page of Tormarket, I wish to publicly overturn the rumors and falsehoods of some of the below:

Quote from: TorMarket

Darknet Market done right

Secure codebase, competent operators, and common sense.

Common sense I will allow that to pass as a subjective matter and how they wish to operate their market is none of my business. Competent operators – again it would depend on your individual definition of that. Secure codebase – let us put that to the test.

Let’s start with the basics

One of the most valuable pieces of any website is the database. It controls so many parts of the site and without it there could be no effective market, so we started trying to extract the information from that. Surprise surprise, it didn’t take long to grab the structure:

Now we’ve had a sneak peak at their table structure, it was decided to have a trawl through the messages that vendors had sent to customers. We will list a little segment below, some vendors here might recognize their own messages with of course sensitive information removed from below.

Up to this point we weren’t looking for any kind of mass data extraction, but in the interest of ensuring the users of Tormarket are safe, we had to do it anyway. The summary of some of the data we went through was to see who the top buyers were, something of equal interest to law enforcement as vendors except it is more likely a buyer will have leaked personal information on the site than a vendor. So who are the top buyers:

Well let us put this forward as a simple notion. All of the above was gathered without us resorting to fancy tricky or advanced web hacks or 0-day exploits, it was something most clearnet websites run in an automated test and don’t expect to find it to pull anything. It is so simple I could actually teach the masses (very easily) how to conduct their own data gathering using some of the techniques we used and still we haven’t even explored the more advanced ones as we know we already have the information in front of us. This kind of attack shouldn’t even work against the most primitive database driven systems, let alone an online black market and absolutely anyone can do it. If law enforcement are watching I would have no doubt they found this long before us.

The observant among you have noticed by now we haven’t exposed addresses yet that is on the database table above – I trust I don’t need to dox somebody to prove my point right now and so I won’t be posting any dox and nor shall I ever, we deleted that information from our records when we saw it as it is outrageous. We tested TorMarket and found yes there is javascript on the page and sometimes it refuses to accept plaintext addresses, but the fact there are plaintext addresses in that database only concludes it is not effective at filtering addresses and in my opinion decreases security by taking the responsibility away from the user – the alternate explanation of this is that plaintext addresses are being kept as well as an encrypted form which is presented to vendors but the whole topic of saving addresses I won’t delve in to further.

Do we have more data than the above? Yes. Significantly more, but I will only do harm by publishing more so I will leave this case study with you, the users of Tor and our spectators, do you believe that Tormarket has a secure codebase, or is it just another claim like the many others who have a “secure” reputation because they just haven’t been hacked yet.

Dread Pirate Roberts

=======================END QUOTE==============

We are assuming that this is just a sample of the database judging from the high number of the user ID’s.

Later on, a silk road user admitted that he was hired by DPR to launch a DDOS attack against Tormarket:

The response from the tormarket admins was published shortly after, blaming an unknown hacker for selling the information to DPR: (this is a screenshot from SR2 forums as tormarket seems to be down at the moment)

There is no real proof in DPR’s post that Tormarket is indeed behind the recent DDOS attacks – but anyway you look at it, it seems that Tormarket’s security was lacking big time. following all these recent events after the fall of the first Silk Road – you cant help from wondering if this is the beginning of the end of the onion based markets, cause it seems that there are no survivors from this war, as one user posted on reddit:“AtlantisSilk RoadB.M.RSheep MarketplaceTormarketSR 2.0 is looking better and better.”

The main thing we are sure of is who will be the winners from this battle (if this is a battle at all and not just a part of the operation):

Hint

And the second thing that we are sure of is that the future of the decentralized marketlpaces is looking brighter by the day.

Ohh the one last thing that comes to mind when thinking about SR2 is this post we have saved from the old forums just after they went down, using the Google cache of the onion.to address:

So everyone, stay skeptical – there are no good guys and bad guys in this story, not ones that we can be sure of at least

As always, i would like to say that we will keep following and reporting as this develops but our only reaction to this is being summed up by this mostly:

3 comments

Yes, it’s heating up quite nicely. Maybe DPR3 will do better. This one’s time is limited. Double facepalm.

Quote from: Dread Pirate Roberts on Today at 08:19:10 am
silencefanboy: You are right about one thing, I am a dictator. I have the sole power of this market and ultimately I call all the shots. If you wish to run a democratic market then it will fail because all it will do is give away security information to a large amount of people and it is difficult to have a fair election in a totally anonymous environment. Until the day comes it can be free and fair, you have me and so far I am not the one who has gaping security holes in their market.

I do and choose as I please, I do care what people think but I am not here to make the popular decisions I am here to make the tough decisions or I would serve no purpose. So yes, your petition means very little because right now Tormarket does concern me as every risk they pose to users is a risk to the very people I am trying my best to defend. Ultimately your vote is where you choose to spend your time and bitcoins procuring products, not a petition since less than 4% of the market use the forums.

Defending them by posting their buying info for all to see? How many sr users’ details did you post? Fuck me are you real cunt? Those embarrassing lies might work for the fangirls but you are just an immature 23yo nerdlinger throwing a tantrum protesting you and your site’s irrelevance.

Where the fuck is the proof that tm are behind the ddos attacks? If you can’t prove it then you are at best surmising, it is disgusting to see a darknet market owner undermining other markets on a hunch. Ross or backopy would never do anything that fucked up, you are an embarrassment.

OK, so if the data is real then one of three things happened. 1) He paid someone at TM for the information. 2) There was most likely a SQL Injection exploit where the database table names were way too easy to guess and the “hacker” executed SELECT statements via some input element and was able to retrieve results in the site’s response.. 3) There was some configuration/installation script that was not removed and they accessed it to gain the DB server credentials.

I want to know, who the fuck would trust this DPR after such outrageous and reckless actions? If the fucker does have the entire database and it has addresses in clear text, then I’m willing to bet that there is no way the DB was deleted from his servers. Seems to me like a PERFECT bargaining chip to offer when it’s time to suck some LE dick…. What the fuck is wrong with these people?? I mean seriously.. For years we created a way to bypass the outdated, unjust laws that plague freedom of choice, and these dumb fuckers have fucked it all up. Seriously WTF is wrong with you????